CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 1 hour ago•2 views

CVE-2026-11603

The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'argsfilterFormArray' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

6.1CVSS

Cvelist•added 3 hours ago•3 views

CVE-2026-41846 Spring Framework Cross-site Scripting via JSP Form Tags

5.9CVSS

EUVD•added 3 hours ago•3 views

EUVD-2026-35334

5.9CVSS5.4AI score

CVE•added 3 hours ago•6 views

CVE-2026-41846

The CVE concerns Spring Framework: JSP form tag attributes cssClass, cssErrorClass, and cssStyle in Spring MVC applications can be exploited to inject arbitrary HTML/JavaScript, enabling cross-site scripting (XSS). Affected versions are Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5....

5.9CVSS5.4AI score

CVE•added 3 hours ago•6 views

CVE-2026-11603

CVE-2026-11603 affects the WordPress plugin Product Filter Widget for Elementor , vulnerable in all versions up to 1.0.6. The root cause is reflected Cross-Site Scripting via the args[filterFormArray] parameter, due to insufficient input sanitization and output escaping. The endpoint is registere...

6.1CVSS5.7AI score

EUVD•added 3 hours ago•3 views

EUVD-2026-35316

6.1CVSS5.7AI score

Positive Technologies•added 7 hours ago•3 views

PT-2026-47657

5.9CVSS5.4AI score

CVE•added yesterday•8 views

CVE-2026-52778

YesWiki (PHP-based wiki) exposes a vulnerability in the Bazar form field calculator (CalcField.php) present before version 4.6.6. The code attempts to sanitize user-defined mathematical formulas using a complex recursive regex prior to passing them to PHP eval(), creating a surface for Regular Ex...

9.8CVSS6AI score

Exploits0References3

Cvelist•added yesterday•11 views

CVE-2026-11556 Tenda F451 Web Management WriteFacMac formWriteFacMac os command injection

A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack i...

9CVSS

Exploits0References6

NVD•added yesterday•4 views

CVE-2026-49756

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata. Req.Utils.encodeformpart/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, an...

2.1CVSS

ATTACKERKB•added yesterday•2 views

CVE-2026-49756

Exploits0References5Affected Software1

CVE•added yesterday•6 views

CVE-2026-49756

CVE-2026-49756 describes a CRLF injection in Req.Utils.encode_form_part/2 of the Elixir Req library. User-controlled name, filename, or content_type are interpolated into Content-Disposition and Content-Type without escaping, allowing CRLFs to terminate header lines and add smuggled parts. This e...

Vulnrichment•added yesterday•3 views

CVE-2026-49756 Multipart form-data header injection in Req via unescaped name/filename/content_type

Cvelist•added yesterday•11 views

CVE-2026-49756 Multipart form-data header injection in Req via unescaped name/filename/content_type

2.1CVSS

EUVD•added yesterday•4 views

EUVD-2026-35096

OSV•added yesterday•2 views

EEF-CVE-2026-49756 Multipart form-data header injection in Req via unescaped name/filename/content_type

Summary Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata. Req.Utils.encodeformpart/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name,...